Getting "probed" by NTL customers.....
10-06-2004, 22:36
#1
Guest
OK, what is going on? My FTP server, which is running Black Ice Defender, is reporting people on NTL port scanning me, such as HTTP scans and FTP scans. Someone tried it 36 times, and I'm wanting to know if this is on purpose or they have caught a program that does this.
Any ideas?

10-06-2004, 22:53
#2
Inactive
Join Date: Jun 2003
Location: Various
Services: 9am, 1pm and 8pm daily
Posts: 2,055
Port scans are against ntl's Residential Internet Terms & Conditions. Please report such activity to the Abuse team by visiting www.ntlworld.com/netreport
Thanks!

10-06-2004, 22:54
#3
cf.mega poster
Join Date: Nov 2003
Location: Reading
Age: 41
Services: Virgin Media Broadband Size M
Posts: 6,546
It could be either... either way, report it to the abuse team (www.ntlworld.com/netreport).
The policy on port scanning is three strikes and you're out.
EDIT: Jimbo beat me to it...

10-06-2004, 23:05
#4
Guest
It asks for evidence, but I can't find a program to open up Black Ice's evidence file. Any ideas of one on the net to show the proof of them both?

10-06-2004, 23:06
#5
cf.mega poster
Join Date: Nov 2003
Location: Reading
Age: 41
Services: Virgin Media Broadband Size M
Posts: 6,546
What form is the output from Black Ice? There should be a text log file and you can just copy and paste the appropriate part.

10-06-2004, 23:08
#6
Guest
Black Ice uses .enc because it saves a packet and gives detailed information about it. I think I have found a decoder though
EDIT: This is going to be hard, it's a load of code I don't understand

10-06-2004, 23:22
#7
Inactive
Join Date: Oct 2003
Location: 2nd CPU to the right & past the cache
Posts: 1,949
Extract from http://www.iss.net/security_center/a...14/default.htm
The Packet Log and Evidence Log features of BlackICE generate files with the extension ".enc". These ".enc" files contain actual network traffic and in the case of evidence files, they contain traffic that was part of the detected attacks. These files are not readable by normal text editor programs, such as Notepad, but must instead be decoded by standard protocol analyzer programs (sniffers) that network technicians typically use to analyze network traffic.
You can find sniffers (protocol analyzers) to read the packet log and evidence log files at the following web sites:
That said, you can read some of the log in text editors like Notepad, but not much of it will make sense unless some plain text was included in the packet that triggered the capture.

10-06-2004, 23:44
#8
Guest
What part on Ethereal am I supposed to copy and paste? I found the IP of the attacker and the port he scanned me (80), but in the middle window I don't know what lines I need to tell NTL about.

11-06-2004, 00:33
#9
Dr Pepper Addict
Cable Forum Admin
Join Date: Oct 2003
Location: Nottingham
Age: 63
Services: IDNet FTTP (1000M), Sky Q TV, Sky Mobile, Flextel SIP
Posts: 30,705
All NTL really need are the IP, the port scanned and the time/frequency of the scans. Unless it is persistent then it is probably not worth bothering.
__________________
Baby, I was born this way.
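
The details the post above says an abuse report needs (source IP, port scanned, time and frequency), pulled out of a list of connection attempts. This is an added example, not part of the original thread; the CSV layout, the sample addresses and the function names are assumptions made up for it.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of inbound connection attempts. The column layout is an
# assumption for this example, not a BlackICE or Ethereal export format.
SAMPLE = """time,src_ip,dst_port
2004-06-10 21:58:03,192.0.2.44,80
2004-06-10 21:58:09,192.0.2.44,80
2004-06-10 22:01:40,192.0.2.44,21
2004-06-10 22:14:12,198.51.100.7,80
2004-06-10 22:30:55,192.0.2.44,80
"""


def summarise(csv_text):
    """Group attempts by (source IP, port) and return one row per group."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        groups[(row["src_ip"], int(row["dst_port"]))].append(when)
    report = []
    for (src, port), times in groups.items():
        times.sort()
        report.append({"src_ip": src, "port": port, "count": len(times),
                       "first": times[0], "last": times[-1]})
    # Most frequent first, so a persistent source leads the report.
    report.sort(key=lambda r: (-r["count"], r["src_ip"], r["port"]))
    return report


def format_report(report, min_count=1, tz="UTC"):
    """Plain-text lines for an abuse form; tz labels the log's time zone."""
    return ["%s port %d: %d attempt(s), first %s, last %s %s"
            % (r["src_ip"], r["port"], r["count"],
               r["first"].isoformat(sep=" "), r["last"].isoformat(sep=" "), tz)
            for r in report if r["count"] >= min_count]


if __name__ == "__main__":
    print("\n".join(format_report(summarise(SAMPLE))))
```

Raising `min_count` drops one-off hits, which matches the advice that only persistent scanning is worth reporting.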

11-06-2004, 00:51
#10
cf.mega poster
Join Date: Nov 2003
Location: Reading
Age: 41
Services: Virgin Media Broadband Size M
Posts: 6,546
Quote:
Originally Posted by Electrolyte
What part on Ethereal am I supposed to copy and paste? I found the IP of the attacker and the port he scanned me (80), but in the middle window I don't know what lines I need to tell NTL about.

Might as well copy all information that you think might be relevant... someone working for the abuse team can sort through it.
At the time of the Blaster/Welchia worms I was sending 150+ pages of router logs every day to one of the teams at work so they could get all of the IPs. Needless to say, they did a pretty good job of sorting through them.

11-06-2004, 08:52
#13
In the corner, sulking.
Join Date: Jun 2003
Location: Shaw, Oldham, Lancashire.
Services: 2 TV 360 boxes. 500mb BB, Phone line.
Posts: 8,041
I use this. http://www.visualizesoftware.com/ for Zone Alarm, they do a version for Black Ice, not free but produces loads of extra info on your firewall activity and can generate email messages from within the program that you can send to abuse@ anywhere.

11-06-2004, 09:10
#14
Guest
I installed mynetwatchman, and it sent off all the "possible" attacks I had in my Black Ice attack list. At least it's automatic

11-06-2004, 09:57
#15
Inactive
Join Date: Jun 2003
Location: Stafford
Age: 52
Services: Sky World, 300k BB, NTL Phone
Posts: 2,399
Are you positive they are "attacks"? It could just be normal internet traffic.